Re: Comments/Questions on Media Capture Streams – Privacy and Security Considerations from Greg Norcie on 2015-10-30 (public-media-capture@w3.org from October 2015)

From: Greg Norcie <gnorcie@cdt.org>
Date: Fri, 30 Oct 2015 09:14:51 -0400
To: Harald Alvestrand <harald@alvestrand.no>
Cc: "Mike O'Neill" <michael.oneill@baycloud.com>, Eric Rescorla <ekr@rtfm.com>, Rigo Wenning <rigo@w3.org>, Martin Thomson <martin.thomson@gmail.com>, "public-privacy (W3C mailing list)" <public-privacy@w3.org>, Mathieu Hofman <Mathieu.Hofman@citrix.com>, Nick Doty <npdoty@w3.org>, public-media-capture@w3.org
Message-ID: <CAMJgV7ZLR+QVGmaC7XsE+6QDm=AwxsCrsxsawBOs1+ZVXVg-rA@mail.gmail.com>

Crazy idea: Maybe we could take a page from DRM encumbered media?

Services like Netflix and Pandora will ask you to confirm you're still
listening/watching after some period of time. (30-60 minutes) of use.




On Thu, Oct 29, 2015 at 6:55 PM, Harald Alvestrand <harald@alvestrand.no>
wrote:

> On 10/29/2015 04:29 PM, Mike O'Neill wrote:
>
> So what would be a reasonable default, somewhere between a few hours and
> eternity?
>
>
> If it's easy to discover that the permission has been given and revoke it,
> I don't see a problem with "lifetime of browser profile" (which is slightly
> shorter than "eternity").
>
> In addition to the revocation available through the camera icon, Chrome
> has implemented clearing all permissions if an user clears cookies for a
> domain; the assumption is that if the user clears cookies, he's likely to
> want all relationships with that domain to "start from zero".
>
>
>
>
>
> Mike
>
>
>
>
>
> *From:* Eric Rescorla [mailto:ekr@rtfm.com <ekr@rtfm.com>]
> *Sent:* 29 October 2015 07:17
> *To:* Mike O'Neill <michael.oneill@baycloud.com>
> <michael.oneill@baycloud.com>
> *Cc:* Rigo Wenning <rigo@w3.org> <rigo@w3.org>; Martin Thomson
> <martin.thomson@gmail.com> <martin.thomson@gmail.com>; public-privacy
> (W3C mailing list) <public-privacy@w3.org> <public-privacy@w3.org>;
> Mathieu Hofman <Mathieu.Hofman@citrix.com> <Mathieu.Hofman@citrix.com>;
> Harald Alvestrand <harald@alvestrand.no> <harald@alvestrand.no>; Nick
> Doty <npdoty@w3.org> <npdoty@w3.org>; public-media-capture@w3.org
> *Subject:* Re: Comments/Questions on Media Capture Streams – Privacy and
> Security Considerations
>
>
>
> There's really not much point in having a a persistent permission for
> camera
>
> and microphone that is measured in hours, because that means that the
>
> vast majority of times when people want to use these devices (like one
>
> video call every day or two) they will be prompted for permission.
>
>
>
> -Ekr
>
>
>
>
>
> On Thu, Oct 29, 2015 at 4:08 PM, Mike O'Neill <
> <michael.oneill@baycloud.com>michael.oneill@baycloud.com> wrote:
>
> Even when there is a visual indication people can miss it or not understand
> what it is . Given the sensitivity of having a "hot" mike/camera,
> persistent
> permissions should also have an expiry so even if people are unaware of
> them
> they will not be there for perpetuity.
>
> In general all permissions should have an expiry in my view, with the
> duration reported when the permission is requested. (i.e. this should be
> part of the permissions API, not just MediaCapture). Those that are less
> sensitive may have a longer duration but MediaCapture should be relatively
> short (hours?).
>
>
> Mike
>
>
>
> -----Original Message-----
> From: Rigo Wenning [mailto: <rigo@w3.org>rigo@w3.org]
> Sent: 29 October 2015 06:52
> To: Eric Rescorla < <ekr@rtfm.com>ekr@rtfm.com>
> Cc: Martin Thomson < <martin.thomson@gmail.com>martin.thomson@gmail.com>;
> public-privacy (W3C mailing
> list) <public-privacy@w3.org>; Mathieu Hofman <Mathieu.Hofman@citrix.com>;
> Harald Alvestrand < <harald@alvestrand.no>harald@alvestrand.no>; Nick
> Doty <npdoty@w3.org>;
> public-media-capture@w3.org
> Subject: Re: Comments/Questions on Media Capture Streams – Privacy and
> Security Considerations
>
> On Thursday 29 October 2015 15:37:12 Eric Rescorla wrote:
> > On Thu, Oct 29, 2015 at 3:35 PM, Rigo Wenning <rigo@w3.org> wrote:
> > > On Thursday 29 October 2015 15:04:05 Eric Rescorla wrote:
> > > > Chrome and Firefox do both of the two things listed in this quoted
> block
> > > >
> > > > 1. Inform the user that the devices are hot.
> > >
> > > Ok, in this case I can understand that if one has a visual indication
> that
> > > mic
> > > and camera are "on" the need for an additional prompt is somewhat moot.
> > >
> > > > 2. Provide mechanisms for revoking consent.
> > >
> > > This is then a question of usability. Is clicking on the visual
> indication
> > > allowing to revoke the consent/permission?
> >
> > Yes, generally.
>
> In this case, my earlier criticism was based on insufficient information. I
> think this does what it is supposed to do. I still think that persistent
> (forever) permissions are a mistake. But this is mitigated by the fact that
> the browser indicates when mic and camera are "on".
>
>  --Rigo
>
>
>
>
>
> --
> Surveillance is pervasive. Go Dark.
>
>


-- 
/***********************************/

*Greg Norcie (norcie@cdt.org <norcie@cdt.org>)*

*Staff Technologist*
*Center for Democracy & Technology*
1634 Eye St NW Suite 1100
Washington DC 20006
(p) 202-637-9800
PGP: http://norcie.com/pgp.txt

Fingerprint:
73DF-6710-520F-83FE-03B5
8407-2D0E-ABC3-E1AE-21F1

/***********************************/

Received on Friday, 30 October 2015 14:28:41 UTC